Threema Is Now Open Source

This might be of interest:

Threema has just published their source code.

Details: https://threema.ch/en/open-source/

Source code on GitHub: https://github.com/threema-ch/threema-android

In case you wonder how a paid app can be open source:

The Threema apps are subject to the GNU Affero General Public License version 3. More details can be found in the source code repositories.

Please note that even though they may be compiled and modified freely, the Threema apps are still paid apps. An anonymous license check prevents the creation of Threema IDs on self-compiled apps. If you would like to use a self-compiled app, please restore the backup of an existing Threema ID. You can create Threema IDs and backups thereof using the purchased app.

If you have questions about the use of self-compiled apps or the license in general, feel free to contact us. We are publishing the source code in good faith, with transparency being the main goal. By having users pay for the development of the app, we can ensure that our goals sustainably align with the goals of our users: Great privacy and security, no ads, no collection of user data!

dc7ia

But is in open…source?

https://github.com/threema-ch/threema-android/tree/main/app/libs ?

Notwithstanding the freedom issues already pointed out, this is potentially concerning:

Please note that even though they may be compiled and modified freely, the Threema apps are still paid apps. An anonymous license check prevents the creation of Threema IDs on self-compiled apps. If you would like to use a self-compiled app, please restore the backup of an existing Threema ID. You can create Threema IDs and backups thereof using the purchased app.

If I am reading this correctly, this implies a self-compiled build of this app is useless without using the first-party build to create an ID. On the other hand, the README states:

While the source code for Threema for Android is published under an open source license, Threema is still a paid app. To run the app in combination with our official server infrastructure, you must have bought a license either on Google Play or in the Threema shop.
…
If you bought a Threema for Android license in the Threema Shop, you have received a license key. This license key can be used for license verification in the store_threema build variant.

If I’m reading this correctly, then a self-compiled build using this variant can use a license key bought from this shop, and should be as usable as the official build? The build is (allegedly) reproducible so a self-compiled build should function identically to an official build, I think?

I wonder what this “libgsaverification” library is needed for? I searched for it and found this library seems to exist in Telegram’s repo, too. Given that (I assume) the free variant of Telegram does not have this binary, is it needed here too? (edit: the commit that removed this in free-Telegram, looks like it’s probably not something we need)

At any rate, I get the impression that this is meant to be “look and don’t touch/fork” like Signal, and they would probably not welcome any attempt to get it on F-Droid, if it’s even wanted here.

Notwithstanding the freedom issues already pointed out and that must be fixed before inclusion, this doesn’t seem to be a “look and don’t touch/fork” source release. It seems that they just want to cover their server costs and thus want to charge every user. If the license can be acquired in their shop, a Threema-FOSS variant could be included in F-Droid.